summaryrefslogtreecommitdiff
path: root/libpam
diff options
context:
space:
mode:
authorDmitry V. Levin <ldv@altlinux.org>2010-10-03 21:00:53 +0000
committerDmitry V. Levin <ldv@altlinux.org>2010-10-03 21:00:53 +0000
commit0b1055f64657dc0bf175f75c23470b2be7630451 (patch)
treef5957bb81fcfcf982d122c1d8ebdd4c81be9b73a /libpam
parentc388a2730d012b5101d264c83f8db586acd3a70c (diff)
Relevant BUGIDs:
Purpose of commit: bugfix Commit summary: --------------- 2010-10-04 Dmitry V. Levin <ldv@altlinux.org> * libpam/pam_modutil_priv.c: New file. * libpam/Makefile.am (libpam_la_SOURCES): Add it. * libpam/include/security/pam_modutil.h (struct pam_modutil_privs, PAM_MODUTIL_DEF_PRIVS, pam_modutil_drop_priv, pam_modutil_regain_priv): New declarations. * libpam/libpam.map (LIBPAM_MODUTIL_1.1.3): New interface. * modules/pam_env/pam_env.c (handle_env): Use new pam_modutil interface. * modules/pam_mail/pam_mail.c (_do_mail): Likewise. * modules/pam_xauth/pam_xauth.c (check_acl, pam_sm_open_session, pam_sm_close_session): Likewise. (pam_sm_open_session): Remove redundant fchown call. Fixes CVE-2010-3430, CVE-2010-3431.
Diffstat (limited to 'libpam')
-rw-r--r--libpam/Makefile.am3
-rw-r--r--libpam/include/security/pam_modutil.h24
-rw-r--r--libpam/libpam.map6
-rw-r--r--libpam/pam_modutil_priv.c170
4 files changed, 202 insertions, 1 deletions
diff --git a/libpam/Makefile.am b/libpam/Makefile.am
index 57bd8109..57080fcf 100644
--- a/libpam/Makefile.am
+++ b/libpam/Makefile.am
@@ -41,4 +41,5 @@ libpam_la_SOURCES = pam_account.c pam_auth.c pam_data.c pam_delay.c \
pam_vprompt.c pam_syslog.c pam_dynamic.c pam_audit.c \
pam_modutil_cleanup.c pam_modutil_getpwnam.c pam_modutil_ioloop.c \
pam_modutil_getgrgid.c pam_modutil_getpwuid.c pam_modutil_getgrnam.c \
- pam_modutil_getspnam.c pam_modutil_getlogin.c pam_modutil_ingroup.c
+ pam_modutil_getspnam.c pam_modutil_getlogin.c pam_modutil_ingroup.c \
+ pam_modutil_priv.c
diff --git a/libpam/include/security/pam_modutil.h b/libpam/include/security/pam_modutil.h
index ffdf5ad0..317202de 100644
--- a/libpam/include/security/pam_modutil.h
+++ b/libpam/include/security/pam_modutil.h
@@ -100,6 +100,30 @@ pam_modutil_write(int fd, const char *buffer, int count);
extern int PAM_NONNULL((1,3))
pam_modutil_audit_write(pam_handle_t *pamh, int type,
const char *message, int retval);
+
+struct pam_modutil_privs {
+ gid_t *grplist;
+ int number_of_groups;
+ int allocated;
+ gid_t old_gid;
+ uid_t old_uid;
+ int is_dropped;
+};
+
+#define PAM_MODUTIL_NGROUPS 64
+#define PAM_MODUTIL_DEF_PRIVS(n) \
+ gid_t n##_grplist[PAM_MODUTIL_NGROUPS]; \
+ struct pam_modutil_privs n = { n##_grplist, PAM_MODUTIL_NGROUPS, 0, -1, -1, 0 }
+
+extern int PAM_NONNULL((1,2,3))
+pam_modutil_drop_priv(pam_handle_t *pamh,
+ struct pam_modutil_privs *p,
+ const struct passwd *pw);
+
+extern int PAM_NONNULL((1,2))
+pam_modutil_regain_priv(pam_handle_t *pamh,
+ struct pam_modutil_privs *p);
+
#ifdef __cplusplus
}
#endif
diff --git a/libpam/libpam.map b/libpam/libpam.map
index 9d55e84f..b0885d65 100644
--- a/libpam/libpam.map
+++ b/libpam/libpam.map
@@ -61,3 +61,9 @@ LIBPAM_MODUTIL_1.1 {
global:
pam_modutil_audit_write;
} LIBPAM_MODUTIL_1.0;
+
+LIBPAM_MODUTIL_1.1.3 {
+ global:
+ pam_modutil_drop_priv;
+ pam_modutil_regain_priv;
+} LIBPAM_MODUTIL_1.1;
diff --git a/libpam/pam_modutil_priv.c b/libpam/pam_modutil_priv.c
new file mode 100644
index 00000000..88094f63
--- /dev/null
+++ b/libpam/pam_modutil_priv.c
@@ -0,0 +1,170 @@
+/*
+ * $Id$
+ *
+ * This file provides two functions:
+ * pam_modutil_drop_priv:
+ * temporarily lower process fs privileges by switching to another uid/gid,
+ * pam_modutil_regain_priv:
+ * regain process fs privileges lowered by pam_modutil_drop_priv().
+ */
+
+#include "pam_modutil_private.h"
+#include <security/pam_ext.h>
+#include <unistd.h>
+#include <syslog.h>
+#include <pwd.h>
+#include <grp.h>
+#include <sys/fsuid.h>
+
+/*
+ * Two setfsuid() calls in a row are necessary to check
+ * whether setfsuid() succeeded or not.
+ */
+static int change_uid(uid_t uid, uid_t *save)
+{
+ uid_t tmp = setfsuid(uid);
+ if (save)
+ *save = tmp;
+ return (uid_t) setfsuid(uid) == uid ? 0 : -1;
+}
+static int change_gid(gid_t gid, gid_t *save)
+{
+ gid_t tmp = setfsgid(gid);
+ if (save)
+ *save = tmp;
+ return (gid_t) setfsgid(gid) == gid ? 0 : -1;
+}
+
+static int cleanup(struct pam_modutil_privs *p)
+{
+ if (p->allocated) {
+ p->allocated = 0;
+ free(p->grplist);
+ }
+ p->grplist = NULL;
+ p->number_of_groups = 0;
+ return -1;
+}
+
+#define PRIV_MAGIC 0x1004000a
+#define PRIV_MAGIC_DONOTHING 0xdead000a
+
+int pam_modutil_drop_priv(pam_handle_t *pamh,
+ struct pam_modutil_privs *p,
+ const struct passwd *pw)
+{
+ int res;
+
+ if (p->is_dropped) {
+ pam_syslog(pamh, LOG_CRIT,
+ "pam_modutil_drop_priv: called with dropped privileges");
+ return -1;
+ }
+
+ /*
+ * If not root, we can do nothing.
+ * If switching to root, we have nothing to do.
+ * That is, in both cases, we do not care.
+ */
+ if (geteuid() != 0 || pw->pw_uid == 0) {
+ p->is_dropped = PRIV_MAGIC_DONOTHING;
+ return 0;
+ }
+
+ if (!p->grplist || p->number_of_groups <= 0) {
+ pam_syslog(pamh, LOG_CRIT,
+ "pam_modutil_drop_priv: called without room for supplementary groups");
+ return -1;
+ }
+ res = getgroups(0, NULL);
+ if (res < 0) {
+ pam_syslog(pamh, LOG_ERR,
+ "pam_modutil_drop_priv: getgroups failed: %m");
+ return -1;
+ }
+
+ p->allocated = 0;
+ if (res > p->number_of_groups) {
+ p->grplist = calloc(res, sizeof(gid_t));
+ if (!p->grplist) {
+ pam_syslog(pamh, LOG_ERR, "out of memory");
+ return cleanup(p);
+ }
+ p->allocated = 1;
+ p->number_of_groups = res;
+ }
+
+ res = getgroups(p->number_of_groups, p->grplist);
+ if (res < 0) {
+ pam_syslog(pamh, LOG_ERR,
+ "pam_modutil_drop_priv: getgroups failed: %m");
+ return cleanup(p);
+ }
+
+ p->number_of_groups = res;
+
+ /*
+ * We should care to leave process credentials in consistent state.
+ * That is, e.g. if change_gid() succeeded but change_uid() failed,
+ * we should try to restore old gid.
+ */
+ if (setgroups(0, NULL)) {
+ pam_syslog(pamh, LOG_ERR,
+ "pam_modutil_drop_priv: setgroups failed: %m");
+ return cleanup(p);
+ }
+ if (change_gid(pw->pw_gid, &p->old_gid)) {
+ pam_syslog(pamh, LOG_ERR,
+ "pam_modutil_drop_priv: change_gid failed: %m");
+ (void) setgroups(p->number_of_groups, p->grplist);
+ return cleanup(p);
+ }
+ if (change_uid(pw->pw_uid, &p->old_uid)) {
+ pam_syslog(pamh, LOG_ERR,
+ "pam_modutil_drop_priv: change_uid failed: %m");
+ (void) change_gid(p->old_gid, NULL);
+ (void) setgroups(p->number_of_groups, p->grplist);
+ return cleanup(p);
+ }
+
+ p->is_dropped = PRIV_MAGIC;
+ return 0;
+}
+
+int pam_modutil_regain_priv(pam_handle_t *pamh,
+ struct pam_modutil_privs *p)
+{
+ switch (p->is_dropped) {
+ case PRIV_MAGIC_DONOTHING:
+ p->is_dropped = 0;
+ return 0;
+
+ case PRIV_MAGIC:
+ break;
+
+ default:
+ pam_syslog(pamh, LOG_CRIT,
+ "pam_modutil_regain_priv: called with invalid state");
+ return -1;
+ }
+
+ if (change_uid(p->old_uid, NULL)) {
+ pam_syslog(pamh, LOG_ERR,
+ "pam_modutil_regain_priv: change_uid failed: %m");
+ return cleanup(p);
+ }
+ if (change_gid(p->old_gid, NULL)) {
+ pam_syslog(pamh, LOG_ERR,
+ "pam_modutil_regain_priv: change_gid failed: %m");
+ return cleanup(p);
+ }
+ if (setgroups(p->number_of_groups, p->grplist)) {
+ pam_syslog(pamh, LOG_ERR,
+ "pam_modutil_regain_priv: setgroups failed: %m");
+ return cleanup(p);
+ }
+
+ p->is_dropped = 0;
+ cleanup(p);
+ return 0;
+}